Past Employee Exploits Access Control?

March 16, 2017

An ex-employee of a sportswear brand has been accused of circumventing access control measures for the benefit of his current employer. Columbia Sportswear has filed a complaint in federal court in Oregon, claiming that a former employee, Michael Leeper, plundered its IT systems more than 700 times over a two-year period.

Insider knowledge

At the moment, of course, we don’t know the full truth of these claims; that will be for the court to decide. But cases like this highlight, for all to see, the critical importance of strong access control measures when creating cyber security solutions.

Michael Leeper managed the global IT systems at Columbia Sportswear and dealt with a number of third party vendors, including a firm called Denali. In 2014, after 14 years with the company, Leeper left Columbia Sportswear and went to work for Denali.

His former employer now claims that before Leeper left, he created a new account on the organization’s system under the name Jeff Manning. The complaint alleges that he has since accessed that account remotely to view corporate secrets, emails and other files to give his current employer a competitive edge.

Responding to the complaint, CEO of Denali, Majdi Daher said:

“These claims astonish us, and they in no way reflect Denali or its values. Effective immediately, Mike Leeper has been placed on leave from Denali so that he can focus his energies on defending the claims against him. While on leave, Mike will have no responsibilities with Denali and will not have access to Denali customers, vendors, employees or other data.”

Cyber priorities

We often focus on the outsider threat when it comes to cyber security. But it’s shocking how many incidents come from within an organization, or from former employees who manage to maintain access. That’s the accusation in this instance, and Leeper’s insider knowledge and IT position certainly suggest he had the opportunity and skill set. The court will determine whether he actually committed the intrusion.

For all organizations, strict but flexible access control measures to guard against bogus accounts, together with diligent user tracking, are what is needed to prevent unauthorized access. Organizations need solutions that can help them detect an unwanted presence lurking around their systems sooner rather than later. Two years seems an awfully long time for a completely fictional account to exist without detection.
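
One way to catch the kind of account described above is a periodic reconciliation of enabled directory accounts against the HR roster and login records. The following is an added example, not code from the case or from any vendor; the record layout, the 30-day review window and all names and dates are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the case): HR roster, directory accounts, logins.
HR = {
    "E100": {"name": "Alice Admin", "left": date(2014, 3, 1)},
    "E200": {"name": "Bob Buyer", "left": None},
}
ACCOUNTS = [
    {"user": "aadmin", "owner": "E100", "created_by": "E100", "created": date(2000, 5, 1), "enabled": False},
    {"user": "bbuyer", "owner": "E200", "created_by": "E100", "created": date(2010, 1, 4), "enabled": True},
    {"user": "jsmith", "owner": None, "created_by": "E100", "created": date(2014, 2, 27), "enabled": True},
]
LOGINS = [
    {"user": "bbuyer", "day": date(2015, 6, 1), "remote": False},
    {"user": "jsmith", "day": date(2015, 6, 2), "remote": True},
    {"user": "jsmith", "day": date(2016, 1, 9), "remote": True},
]

GRACE_DAYS = 30  # assumption: accounts created this close to the creator's exit get reviewed


def audit_accounts(accounts, hr, logins):
    """Return {user: [reasons]} for enabled accounts that fail reconciliation."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        owner = hr.get(acct["owner"])
        if owner is None:
            reasons.append("no matching HR record")
        elif owner["left"] is not None:
            reasons.append("owner has left the organization")
        creator = hr.get(acct["created_by"])
        if creator and creator["left"]:
            days = (creator["left"] - acct["created"]).days
            if 0 <= days <= GRACE_DAYS:
                reasons.append(f"created {days} days before creator left")
        # Remote activity raises the priority of an account that is already suspect.
        remote = [l for l in logins if l["user"] == acct["user"] and l["remote"]]
        if reasons and remote:
            reasons.append(f"{len(remote)} remote logins, last {max(l['day'] for l in remote)}")
        if reasons:
            findings[acct["user"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_accounts(ACCOUNTS, HR, LOGINS).items():
        print(user, "->", "; ".join(reasons))
```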